Scorpène data leak: Who is responsible for the massive information security breach?

All hell broke loose for the Indian Navy and Defence Ministry on Wednesday when over 22,000 pages of top secret data on the capabilities of six highly advanced Scorpène submarines being built for the Indian Navy in Mumbai in collaboration with French company DCNS were leaked.

Reports said that the leaked document covers a variety of details including the secret stealth capabilities of the submarines — including, but not restricted to the frequencies at which they gather intelligence, what noise they make at various speeds and their diving depths, range and endurance.

The Indian Navy has concluded that the Scorpene submarine leak did not take place in India. Reuters

There are reports which have also said that the leaked document may not have that great an impact on the submarine project. Defence Minister Manohar Parrikar also said he does not suspect the leak to be 100 percent, since a lot of final integration lies with India.

But keeping in mind that the efficiency of submarines is based on stealth, a crucial document getting leaked is probably the worst thing which can happen for the submarines, the first of which was expected to go into service by the end of the year, the first step in the Indian navy's effort to rebuild its dwindling fleet.

India has a fleet of 13 aging submarines, only half of which are operational at any time, opening up a gap with China which is expanding its maritime presence in the Indian Ocean.

However, as we ponder on the importance of information security and how this massive breach took place, a very important question arises: Was it India's poor cyber security standard which was responsible for the leak or was it something else?

Till now, news reports have indicated that the onus of the leak probably lies on the French company DCNS.

The Indian Navy has said that the source of the leak was from overseas and not in India. An NDTV report explained in detail how Navy officers checked which officers had accessed the document and where the documents had been moved to for finding out possible points of leakage.

The Indian Navy's cyber experts, considered to be some of the best cyber experts in India, also looked for traces of possible leaks from computers in India and the cyber trail of the documents published by newspapers.

It was after this intense initial investigation that the Indian Navy came to the conclusion that the leak did not take place in India.

Another report in The Times of India said that a former French naval officer working as sub-contractor for the DCNS may have been behind the data leak, as suggested by a report in The Australian.

Even though DCNS initially suggested that the onus of the leak lied on India, what makes this highly improbable — apart from the initial investigation by the Indian Navy — is that DCNS's plans to sell frigates to Chile and an amphibious ship to Russia are also part of the leaks and are not linked to India's Scorpene deal.

This makes it all the more probable that the leak took place from DCNS' end.

The defensive statement by DCNS after the leak also suggest the onus of the leak lies on the company. It had said on Wednesday that it may have been the victim of "economic warfare".

The leak has raised doubts about the security of DCNS' submarine project in Australia where it is locked in exclusive negotiations after seeing off rivals for a A$50 billion ($38 billion) contract to build the Barracuda next-generation submarines.

But even though the leak seems to have taken place overseas, this incident only highlights the importance of cyber security, something which India has not been good at regulating. In 2010, the government suspected a massive Chinese espionage operation targeting the computers of the Prime Minister's Office, including the infection of the national security advisor's personal laptop.

An article in Hindustan Times also said that since India continues to import almost all of its military needs, the high number of players involved means a higher chance of leaks and hacks.

"Cyber security remains a policy domain fragmented among over a dozen agencies. Recommendations for a cyber security command remain on paper," the article further said.